GHOST Vulnerability

On January 27th, 2015, the GHOST vulnerability was revealed to the public and assigned CVE-2015-0235 (Common Vulnerabilities and Exposures). The vulnerability is a buffer overflow bug in glibc's GetHost functions, which is why it is called the GHOST vulnerability.

What is glibc?

It is the implementation of the “Standard C library” described in the C standards. It includes the macros, symbols and functions used by most of the programs on the system. There are several other implementations of the “Standard C library”, but the glibc package is the most widely used across Unix/Linux distributions.

Impact

The GHOST buffer overflow bug affects the gethostbyname() and gethostbyname2() function calls in the glibc library. These functions perform DNS resolution, which is a common and very frequently used task. The vulnerability allows an attacker to take complete control of the system by making an application call either of these functions, executing arbitrary code with the permissions of the user running the application. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs DNS resolution.

On glibc-2.18, executing the above code gives:
#[user@...ora-20 ~]$ ./GHOST
Not vulnerable

Yes, I’m affected. What’s next?

The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc.

For example:

RHEL/CentOS
#sudo yum update glibc

Ubuntu/Debian
#sudo apt-get update && sudo apt-get install --only-upgrade libc6

NOTE: Ubuntu/Debian uses a variant of glibc called eglibc; the binary package that carries the library is named libc6.
Now check the version of glibc. It must be equal to or later than glibc-2.18.

NOTE: Some distros may provide a patch for the older version. If the version number is still lower than 2.18 after the update, use the above test program to find out whether you are vulnerable.
The command below lists all the binaries that use the glibc libraries.
#lsof | grep libc | awk '{print $1}' | sort | uniq

It will return a long list of binaries. Restarting all of those services one by one is tedious, so a reboot is necessary, since the GNU C Library is used by many applications.
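
The post-update checks described above (comparing the installed glibc against 2.18, then finding the processes that still run on the old library), as an added shell example that is not part of the original article. The function names are hypothetical; it assumes a Linux /proc filesystem and glibc's `getconf GNU_LIBC_VERSION`, and it treats a version below 2.18 as a prompt to confirm a distro backport rather than as proof of vulnerability.

```shell
#!/bin/sh
# Added example: post-update glibc checks. Function names are hypothetical.

# version_ge A B: succeed when major.minor version A is >= B.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# maps_has_stale_libc FILE: succeed when a /proc/PID/maps-style file shows a
# libc mapping whose on-disk file was replaced, e.g. (constructed sample line)
#   7f3a... r-xp 00000000 fd:00 1234 /usr/lib64/libc-2.17.so (deleted)
maps_has_stale_libc() {
    grep -Eq '/libc[-.][^/ ]* \(deleted\)$' "$1" 2>/dev/null
}

# stale_libc_procs: print "PID COMMAND" for each readable process that still
# maps the pre-update libc. Run as root to see every process.
stale_libc_procs() {
    for d in /proc/[0-9]*; do
        [ -r "$d/maps" ] || continue
        if maps_has_stale_libc "$d/maps"; then
            echo "${d#/proc/} $(cat "$d/comm" 2>/dev/null)"
        fi
    done
}

ghost_check() {
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "glibc version unknown (not a glibc system?)"
    elif version_ge "$ver" 2.18; then
        echo "glibc $ver: at or above 2.18"
    else
        echo "glibc $ver: below 2.18, confirm the distro shipped a backported fix"
    fi
    echo "Processes still mapping a replaced libc (restart them or reboot):"
    stale_libc_procs
}

ghost_check
```

Unlike the lsof listing, this reports only processes whose mapped libc file has been replaced on disk, so an empty list after a reboot or service restart confirms nothing is still running the old code.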

About ViSolve

ViSolve is a consulting firm that provides Enterprise services like Cloud Deployment, Monitoring, Support and Security. More information about ViSolve can be found here. To know more about enhancing your data security, drop us an e-mail – services@visolve.com.